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WHAT WE CLAIM IS : 

1. A detection system for detecting intrusive behavior in a first session on a computer, said 
first session comprising a plurality of applications invoked on said computer, and said computer 
having a computer operating system, said detection system comprising: 

(a) a plurality of first application profiles, v^herein each of said first application 
profile comprises a plurality of first data strings, wherein each first data string comprises a 
sequential mapping of instructions passed from one of said plurality of applications to the 
computer operating system during a second session on the computer; 

(b) a plurality of second application profiles, wherein each second application profile 
comprises a plurality of application segments, wherein each application segment comprises a 
pre-determined number of second data strings, wherein each second data string comprises a 
sequential mapping of instructions passed from one of said applications to the computer 
operating system during the first session on the computer; 

(c) an application counter; 

(d) a plurality of segment counters, wherein each segment counter corresponds to one 
of the second application profiles; 

(e) a plurality of data string counters, wherein each data string counter corresponds to 
one of the application segments in the plurality of application segments; 

(f) an equality matcher, wherein for each application segment, each second data 
string is compared to the plurality of first data strings comprising a corresponding application 
profile, and wherein if the second data string is not equal to any of the first data strings the 
equality matcher increments an associated data string counter; and 
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(g) a temporal locality identifier, wherein the temporal locality identified labels the 
first session intrusive if a ratio of the segment counter to a total number of segments in an 
associated second application profile exceeds an application threshold and wherein the first 
session is labeled intrusive if a ratio of the application counter to a total number of applications 
exceeds a session threshold, wherein the application counter is incremented if a ratio of an 
associated segment counter to a total number of segments in an associated second application 
profile exceeds a segment threshold, wherein the associated segment counter is incremented if a 
ratio of an associated data string counter to the pre-determined number of data strings comprising 
the segment exceeds an associated data string threshold. 

2. The detection system of claim 1, wherein the second session comprises non-intrusive 


UNIX operating system and the sequential mapping of instructions comprise a sequential 
mapping of UNIX system calls. 

4. The detection system of claim 1, wherein the computer operating system comprises a 
Windows NT operating system, and wherein the sequential mapping of instructions comprises a 
sequential mapping of object requests. 

5. The detection system of claim 1, wherein the first plurality of application profiles and 
second plurality of application profiles are created by a data pre-processor application. 

6. The detection system of claim 5, wherein the data pre-processor receives input from an 
auditing system integral to the computer operating system. 

7. The detection system of claim 5, wherein the data pre-processor creates the second 
plurality of application profiles in real-time. 


behavior. 


3. 


The detection system of claim 1 , wherein the computer operating system comprises a 
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8. The detection system of claim 5, wherein the equahty matcher and the temporal locality 
identifier receive input from the plurality of second application profiles in real-time. 

9. The detection system of claim 1, characterized by a false positive rate less than 4.0% and 
a false negative rate less than 1 1%. 

5 1 0. The detection system of claim 1 , characterized by a false positive rate less than 3.0% and 
a false negative rate less than 13%. 

1 1 . The detection system of claim 1 , characterized by a false positive rate less than 2.5% and 
a false negative rate less than 30%. 
^12. A method for detecting intrusive behavior in a first session on a computer, said first 

□ 

'i3l0 session comprising a plurality of applications invoked on said computer, and said computer 

01 

^ having a computer operating system, said method comprising the steps of: 

; ^ (a) creating a plurality of first application profiles, wherein each said first application 

. #^ 

profile comprises a plurality of first data strings, wherein each first data string comprises a 

u 

Q sequential mapping of instructions passed from one of said plurality of applications to the 

y 

Ql5 computer operating system during a second session on the computer; 
f (b) creating a plurality of second application profiles, wherein each second 

application profile comprises a plurality of application segments, wherein each application 
segment comprises a pre-determined number of second data strings, wherein each second data 
string comprises a sequential mapping of instructions passed from one of said applications to the 
20 computer operating system during the first session on the computer; 

(c) initializing an application counter; 

(d) initializing a plurality of segment counters, wherein each segment counter 
corresponds to one of the second application profiles; 


-28- 


ey Docket No.: CIG-103 

(e) initializing a plurality of data string counters, wherein each data string counter 
corresponds to one of the application segments in the plurality of application segments; 

(f) performing an equality matching algorithm, wherein for each application 
segment, each second data string is compared to the plurality of first data strings comprising a 
corresponding application profile, and wherein if the second data string is not equal to any of the 
first data strings an associated data string counter is incremented; and 

(g) performing a temporal locality identifying algorithm, wherein the first session is 
labeled intrusive if a ratio of the segment counter to a total number of segments in an associated 
second application profile exceeds an application threshold and wherein the first session is 
labeled intrusive if a ratio of the application counter to a total number of applications exceeds a 
session threshold, wherein the application counter is incremented if a ratio of an associated 
segment counter to a total number of segments in an associated second application profile 
exceeds a segment threshold, wherein the associated segment counter is incremented if a ratio of 
an associated data string counter to the pre-determined number of data strings comprising the 
segment exceeds an associated data string threshold. 

13. The method of claim 12, wherein the second session comprises non-intrusive behavior. 

14. The method of claim 12, wherein the computer operating system comprises a UNIX 
operating system and the sequential mapping of instructions comprise a sequential mapping of 
UNIX system calls. 

15. The method of claim 12, wherein the computer operating system comprises a Windows 
NT operating system, and wherein the sequential mapping of instructions comprises a sequential 
mapping of object requests. 
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16. The method of claim 12, wherein the first plurality of application profiles and second 
plurality of application profiles are created by a data pre-processor application. 

17. The method of claim 16, wherein the data pre-processor receives input fi-om an auditing 
system integral to the computer operating system. 

5 18. The method of claim 1 6, wherein the data pre-processor creates the second plurality of 
application profiles in real-time. 

19. The method of claim 16, wherein the equality matching algorithm and the temporal 
locality identifying algorithm receive input from the second plurality of application profiles in 
real-time. 

O 

BIO 20. The method of claim 12, characterized by a false positive rate less than 4.0% and a false 

01 

negative rate less than 11%. 

21 . The method of claim 12, characterized by a false positive rate less than 3.0% and a false 
negative rate less than 13%. 

22. The detection system of claim- 12, characterized by a false positive rate less than 2.5% 


bJ 

q1 5 and a false negative rate less than 30%. 


23. A detection system for detecting intrusive behavior in a session on a computer, said 
session comprising a plurality of applications invoked on said computer, and said computer 
having a computer operating system, said detection system comprising: 

(a) a plurality of neural networks, wherein each neural network is trained to identify a 
20 pre-determined behavior pattern for a corresponding one of the plurality of applications; 

(b) a plurality of application profiles, wherein each application profile comprises a 
plurality of application data for a corresponding one of the plurality of applications, wherein said 
application data is collected during the session; 
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(c) a temporal locality identifier, wherein when one of the plurality of application 
profiles is sequentially input to a corresponding one of the plurality of neural networks the neural 
network outputs a behavior indicator for each of the plurality of data strings in the application 
profile, and wherein if the behavior indicator meets a pre-determined criteria, a counter is 
5 incremented, and wherein if the counter has a high rate of increase the temporal locality 

identifier labels the application behavior intrusive, and wherein if a predetermined percentage of 
application behaviors are intrusive the session behavior is labeled intrusive. 
24. The detection system of claim 23, wherein the pre-determined behavior pattern comprises 
a non-intrusive behavior. 

g 

SIO 25. The detection system of claim 23, wherein the computer operating system comprises a 

01 

UNIX operating system and the application data comprises a distance between a sequential 

93 

: mapping of UNIX system calls made by a corresponding one of the plurality of applications and 

y I 

a pre-defined string of UNIX system calls, 
g 26. The detection system of claim 23, wherein the computer operating system comprises a 

y 

□15 Windows NT operating system, and the application data comprises a distance between a 

a 

□ sequential mapping of object requests made by a corresponding one of the plurality of 
applications and a pre-defined string of object requests. 

27. The detection system of claim 23, wherein the plurality of application profiles is created 
by a data pre-processor application. 
20 28. The detection system of claim 27, wherein the data pre-processor receives input fi"om an 
auditing system integral to the computer operating system. 

29. The detection system of claim 27, wherein the data pre-processor creates the plurality of 
second application profiles in real-time. 
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30. The detection system of claim 27, wherein the plurality of trained neural networks 
receive input from the plurality of application profiles in real-time. 

3 1 . The detection system of claim 23, wherein the pre-determined behavior pattern comprises 
a non-intrusive behavior and said system is characterized by a false positive rate less than 2.5% 
and a false negative rate less than 30%. 

32. The detection system of claim 23, the pre-determined behavior pattern comprises a 
intrusive behavior and said system is characterized by a false positive rate less than 10.0% and a 
false negative rate less than 9.0%. 

33. The detection system of claim 23, wherein the plurality neural network comprises a 
plurality of backpropogation neural networks. 

34. The detection system of claim 33, wherein each neural network in the plurality of 
backpropogation neural networks comprises an input layer, a hidden layer and an output layer. 

35. The detection system of claim 34, wherein a number of nodes in the hidden layer is 

a 

Q determined by testing a plurality of cases for each neural network in the plurality of 

pi 5 backpropogation neural networks and selecting the case wherein the corresponding neural 

^ network has a highest accuracy rate. 

36. The detection system of claim 23, wherein the plurality of neural networks comprises a 
plurality of recurrent neural networks. 

37. A method for detecting intrusive behavior in a session on a computer, said session 
20 comprising a plurality of applications invoked on said computer, and said computer having a 

computer operating system, said method comprising the steps of: 
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(a) training a plurality of neural networks, wherein each neural network is trained to 
identify a pre-determined behavior pattern for a corresponding one of the plurality of 
applications; 

(b) creating a plurality of application profiles, wherein each application profile 

5 comprises a plurality of application data for a corresponding one of the plurality of applications, 
wherein said application data is collected during the session; 

(c) performing a temporal locality identifying algorithm, wherein when one of the 
plurality of application profiles is sequentially input to a corresponding one of the plurality of 
neural networks the neural network outputs a behavior indicator for each of the plurality of data 


tpl 0 strings in the application profile, and wherein if the behavior indicator meets a pre-determined 

01 

43 criteria, a counter is incremented, and wherein if the counter has a high rate of increase the 

E s J 

f!^ temporal locality identifier labels the application behavior intrusive, and wherein if a 

Uj 

predetermined percentage of application behaviors are intrusive the session behavior is labeled 

5 

r-^ intrusive. 


pi 5 38. The method of claim 37, wherein the pre-determined behavior pattem comprises a non- 


39. The method of claim 37, wherein the computer operating system comprises a UNIX 
operating system and the application data comprises a distance between a sequential mapping of 
UNIX system calls made by a corresponding one of the plurality of applications and a pre- 

20 defined string of UNIX system calls. 

40. The method of claim 37, wherein the computer operating system comprises a Windows 
NT operating system, and the application data comprises a distance between a sequential 


n 


intrusive behavior. 
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mapping of object requests made by a corresponding one of the plurality of applications and a 
pre-defined string of object requests. 

41 . The method of claim 37, wherein the plurality of application profiles is created by a data 
pre-processor application. 
5 42. The method of claim 41 , wherein the data pre-processor receives input from an auditing 
system integral to the computer operating system. 

43. The method of claim 41 , wherein the data pre-processor creates the plurality of second 
application profiles in real-time. 

44. The method of claim 41 , wherein the plurality of trained neural networks receive input 
il 0 from the plurality of application profiles in real-time. 


-3 45. The method of claim 37, wherein the pre-determined behavior pattern comprises a non- 
f"" intrusive behavior and said system is characterized by a false positive rate less than 2.5% and a 


"J^ false negative rate less than 30%. 

46. The method of claim 37, the pre-determined behavior pattern comprises a intrusive 

w 

ril5 behavior and said system is characterized by a false positive rate less than 10.0% and a false 


47. The method of claim 37, wherein the plurality neural network comprises a plurality of 
backpropogation neural networks. 

48. The method of claim 37, wherein each neural network in the plurality of backpropogation 
20 neural networks comprises an input layer, a hidden layer and an output layer. 

49. The method of claim 48, wherein a number of nodes in the hidden layer is determined by 
testing a plurality of cases for each neural network in the plurality of backpropogation neural 
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negative rate less than 9.0%. 
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networks and selecting the case wherein the corresponding neural network has a highest 
accuracy rate. 

50. The method of claim 37, wherein the plurality of neural networks comprises a plurality of 
recurrent neural networks. 
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